IN THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1 . (Currently amended) A method for assembling fragmented network traffic, comprising: 
detecting in the fragmented network traffic an anomaly that could result in two or more 

fragments contained in the fragmented network traffic being reassembled at a monitoring node to 

obtain a reassembled data flow that is different than a corresponding data as reassembled at a 

destination node to which the fragmented network traffic is addressed; 

initiating in response to detecting said anomaly expanded buffering of fragments 

contained in said fragmented network traffic; and 

performing furth e r proc e ssing on th e fragm e nt e d n e twork traffic having the anomaly; 

wh e r e in performing furth e r processing compris e s a query to determin[[ing]]e configuration 

information associated with how the destination node is configured to reassemble overlapping 

fragments. 

2. (Original) A method as recited in claim 1 wherein detecting an anomaly comprises 
determining that said two or more fragments overlap." 

3. (Original) A method as recited in claim 2 wherein determining that said two or more 
fragments overlap comprises reading a header value associated with one of the fragments. 

4. (Original) A method as recited in claim 3 wherein the header value comprises an offset 
value. 

5. (Original) A method as recited in claim 1 wherein detecting an anomaly comprises 
determining that said two or more fragments overlap and that at least two of said fragments 
comprise different data for an overlapping portion of said fragments. 

6. (Cancelled) 
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7. (Currently amended) A method as recited in claim [[6]] i wherein performing a query 
includes dotormining configuration information compris e s querying the destination node. 

8. (Currently amended) A method as recited in claim [[6]] i wherein performing a query 
includes dotormining configuration information compris e s querying an information base, 

9. (Original) A method as recited in claim 1 wherein performing fiirther processing 
comprises reassembling the fi-agmented network traffic to generate more than one variant of the 
reassembled data flow. 

10. (Original) A method as recited in claim 1 fiirther including processing the anomaly to 
determine whether the fragmented network traffic is associated with a threat. 

1 1 . (Original) A method as recited in claim 1 fiirther including performing an action on the 
fragmented network traffic based on whether the fragmented network traffic is associated with a 
threat. 

12. (Original) A method as recited in claim 1 fiirther including discarding at least a portion of 
the fragmented network traffic if the fragmented network traffic is associated with a threat. 

13. (Original) A method as recited in claim 1 fiirther including copying one or more 
fragments comprising the fragmented network traffic to a buffer. 

14. (Original) A method as recited in claim 1 wherein performing fiirther processing 
comprises sending an alert. 

15. (Original) A method as recited in claim 1 wherein performing fiirther processing 
comprises determining whether the fragmented network traffic should be blocked. 
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16. (Original) A method as recited in claim 1 wherein performing further processing 
comprises determining whether the fragmented network traffic should be forwarded to the 
destination node. 

17. (Canceled) 

18. (Previously presented) A method as recited in claim 1 wherein detecting an anomaly 
comprises determining that two or more fragments contained in said fragmented network traffic 
have overlapping portions. 

19. (Previously presented) A method as recited in claim 1 wherein detecting an anomaly 
comprises determining that two or more fragments contained in said fragmented network traffic 
have mismatching overlapping portions. 

20. (Currently amended) A system for assembling fi*agmented network traffic, comprising: 
a memory configured to store at least a portion of the fragmented network traffic; and 
a processor configured to: 

detect in the fragmented network traffic an anomaly that could result in two or 
more fragments contained in the fragmented network traffic being reassembled at a 
monitoring node to obtain a reassembled data flow that is different than a corresponding 
data as reassembled at a destination node to which the firagmented network traffic is 
addressed; 

initiate in response to detecting said anomaly expanded buffering of fragments 
contained in said fragmented network traffic; and 

perform furth e r processing on th e fragm e nt e d n e twork traffic having the anomaly; 
wh e r e in performing furth e r proc e ssing compris e s a query to determin[[ing]]e 
configuration information associated with how the destination node is configured to 
reassemble overlapping fragments. 

2 1 . (Currently amended) A computer readable storage medium comprising computer 
instructions for assembling fragmented network traffic, including instructions for: 
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detecting in the fragmented network traffic an anomaly that could result in two or more 
fragments contained in the fragmented network traffic being reassembled at a monitoring node to 
obtain a reassembled data flow that is different than a corresponding data as reassembled at a 
destination node to which the fragmented network traffic is addressed; 

initiating in response to detecting said anomaly expanded buffering of fragments 
contained in said fragmented network traffic; and 

p e rforming further proc e ssing on th e fragment e d n e twork traffic having tho anomaly; 
wh e r e in performing furth e r proc e ssing compris e s a query to determin[[ing]]e configuration 
information associated with how the destination node is configured to reassemble overlapping 
fragments. 

22. (Previously presented) The system of claim 20 wherein performing a query includes 
d e t e rmining configuration information compris e s querying the destination node. 

23. (Previously presented) The system of claim 20 wherein performing a query includes 
det e rmining configuration information compris e s querying an information base. 
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